Re: OpenSSL Ca
Thankyou all...Your comments helped a lot and I have managed to get my CA running perfectly.. Thanks! Anton 2010/1/12 Patrick Patterson > Ok - several things: > > 1: Does the certificate contain both an email address, and EKU of > emailProtection? > > 2: Did you import the CA certificate chain before trying to import the > certificate? > > 3: I presume this certificate is so that you can perform S/MIME encryption > - > do you have the correct values in Key Usage? ( keyEncipherment, > dataEncipherment) > > What does your openssl.cnf section say for the type of certificate > generated? > > What does your CA Certificate look like? > > If you want help setting up a CA that "just works" for most of these > different > kinds of certificates, you can grab our OpenSSL CA Setup guide > (http://www.carillon.ca/library/openssl_testca_howto_1.2.pdf) - it's for > the > more complex environment of CertiPath/US Federal Bridge interoperability, > but > it gives you a good idea of what is required for the various profiles of > certificates to have them work in various use cases (one size most > definitely > does NOT fit all, and the stock openssl.cnf isn't sufficient :) > > Have fun! > > Patrick. > > > On January 12, 2010 08:23:18 am Anton Xuereb wrote: > > The Client im trying to import the public key into is Thunderbird 3 on > > linux. > > > > The client on windows is MS outlook with winpgp installed for pgp > > encryption. > > > > The problem is being presented with thunderbird at the moment as I'm > trying > > to import the public key in order to be able to send encrypted emails to > > the windows machine. > > > > Thanks, > > > > Anton > > > > 2010/1/12 Mounir IDRASSI > > > > > Hi, > > > > > > What mail client are you using under Windows? > > > Each mail client has its own storage for private keys (Thunderbird uses > > > local NSS key storage, Outlook uses CSP and IE certificate store). So, > > > since you generated the key outside the scope of the mail client, you > > > will certainly have to create a PKCS#12 file (called also PFX under > > > Windows) containing your private key and its signed certificate and > then > > > import this file into your mail client's key storage (for Outlook, > you'll > > > have to install the PFX by double-clicking on it). > > > So, everything depends on your mail client and how it will access your > > > private key. > > > > > > Cheers, > > > -- > > > Mounir IDRASSI > > > IDRIX > > > http://www.idrix.fr > > > > > > On 1/12/2010 12:35 PM, Anton Xuereb wrote: > > >> Hi, > > >> > > >> I'm trying to create a private CA with openssl for my enterprise. I > have > > >> generated the CA private key and certificate. I have created a key > pair > > >> and a certificate signing request from a windows pc using kleopatra > (key > > >> management utility that comes with winpgp). I signed the request with > > >> the CA's key and sent the signed certificate to the windows pc and > > >> imported the certificate. I exported the public key which I sent to my > > >> laptop. I imported the certificate of my CA into my mail client and > > >> trusted it. I then imported the public key as exported from the > windows > > >> pc. It is imported but instead of being put into the People category > > >> it's sent in the Others section as it apparently does not fit in any > of > > >> the other categories. I am therefore unable to send encrypted mail to > > >> the windows pc using it's public key as my client will not use it to > > >> encrypt. > > >> > > >> The following are the commands I used in order to get to this point: > > >> > > >> In order to generate the private key and ca certificate: > > >> > > >> # openssl req -config openssl.my.cnf -new -x509 -extensions v3_ca > > >> -keyout private/myca.key -out certs/myca.crt -days 1825 > > >> > > >> I converted the request from DER to PEM format using: > > >> > > >> openssl req -in datareq.p10 -inform der -out datareq.csr > > >> > > >> In order to sign the request: > > >> > > >> # openssl ca -config openssl.my.cnf -policy policy_anything -in > > >> datareq.csr > > >> > > >> I'm at a loss at the moment so any help
Re: OpenSSL Ca
The Client im trying to import the public key into is Thunderbird 3 on linux. The client on windows is MS outlook with winpgp installed for pgp encryption. The problem is being presented with thunderbird at the moment as I'm trying to import the public key in order to be able to send encrypted emails to the windows machine. Thanks, Anton 2010/1/12 Mounir IDRASSI > Hi, > > What mail client are you using under Windows? > Each mail client has its own storage for private keys (Thunderbird uses > local NSS key storage, Outlook uses CSP and IE certificate store). So, since > you generated the key outside the scope of the mail client, you will > certainly have to create a PKCS#12 file (called also PFX under Windows) > containing your private key and its signed certificate and then import this > file into your mail client's key storage (for Outlook, you'll have to > install the PFX by double-clicking on it). > So, everything depends on your mail client and how it will access your > private key. > > Cheers, > -- > Mounir IDRASSI > IDRIX > http://www.idrix.fr > > > On 1/12/2010 12:35 PM, Anton Xuereb wrote: > >> Hi, >> >> I'm trying to create a private CA with openssl for my enterprise. I have >> generated the CA private key and certificate. I have created a key pair and >> a certificate signing request from a windows pc using kleopatra (key >> management utility that comes with winpgp). I signed the request with the >> CA's key and sent the signed certificate to the windows pc and imported the >> certificate. I exported the public key which I sent to my laptop. I imported >> the certificate of my CA into my mail client and trusted it. I then imported >> the public key as exported from the windows pc. It is imported but instead >> of being put into the People category it's sent in the Others section as it >> apparently does not fit in any of the other categories. I am therefore >> unable to send encrypted mail to the windows pc using it's public key as my >> client will not use it to encrypt. >> >> The following are the commands I used in order to get to this point: >> >> In order to generate the private key and ca certificate: >> >> # openssl req -config openssl.my.cnf -new -x509 -extensions v3_ca -keyout >> private/myca.key -out certs/myca.crt -days 1825 >> >> I converted the request from DER to PEM format using: >> >> openssl req -in datareq.p10 -inform der -out datareq.csr >> >> In order to sign the request: >> >> # openssl ca -config openssl.my.cnf -policy policy_anything -in >> datareq.csr >> >> I'm at a loss at the moment so any help would be appreciated. >> >> Thanks , >> >> Anton >> > > > -- > -- > Mounir IDRASSI > IDRIX > http://www.idrix.fr > > __ > OpenSSL Project http://www.openssl.org > User Support Mailing Listopenssl-users@openssl.org > Automated List Manager majord...@openssl.org >
OpenSSL Ca
Hi, I'm trying to create a private CA with openssl for my enterprise. I have generated the CA private key and certificate. I have created a key pair and a certificate signing request from a windows pc using kleopatra (key management utility that comes with winpgp). I signed the request with the CA's key and sent the signed certificate to the windows pc and imported the certificate. I exported the public key which I sent to my laptop. I imported the certificate of my CA into my mail client and trusted it. I then imported the public key as exported from the windows pc. It is imported but instead of being put into the People category it's sent in the Others section as it apparently does not fit in any of the other categories. I am therefore unable to send encrypted mail to the windows pc using it's public key as my client will not use it to encrypt. The following are the commands I used in order to get to this point: In order to generate the private key and ca certificate: # openssl req -config openssl.my.cnf -new -x509 -extensions v3_ca -keyout private/myca.key -out certs/myca.crt -days 1825 I converted the request from DER to PEM format using: openssl req -in datareq.p10 -inform der -out datareq.csr In order to sign the request: # openssl ca -config openssl.my.cnf -policy policy_anything -in datareq.csr I'm at a loss at the moment so any help would be appreciated. Thanks , Anton
Signing .p10 certificate signing requests
Hi, I have a certificate signing request in the form name.p10 issued by microsoft outlook which I am trying to sign and issue and certificate for from my linux server. I am having some problems finding the correct syntax to treat this type of file as other requests I have signed have come with the .csr extension. Any ideas ? Anton
